Add codesign step

Signed-off-by: falkTX <falktx@falktx.com>
mod-audio · Mar 11, 2024 · ddf258e · ddf258e
1 parent 13eaef5
commit ddf258e
Show file tree

Hide file tree

Showing 5 changed files with 163 additions and 8 deletions.
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -7,11 +7,12 @@ env:
   CACHE_VERSION_MACOS: 20
   CACHE_VERSION_WIN64: 19
   DEBIAN_FRONTEND: noninteractive
+  HOMEBREW_NO_AUTO_UPDATE: 1
   PAWPAW_FAST_MATH: 1
   PAWPAW_SKIP_LTO: 1
   PAWPAW_SKIP_TESTS: 1
   RELEASE_OS_LINUX: ubuntu:18.04
-  RELEASE_OS_MAC: macos-11
+  RELEASE_OS_MAC: macos-12
   RELEASE_OS_WIN64: ubuntu:22.04
 
 jobs:
@@ -211,17 +212,18 @@ jobs:
             target: macos-10.15
           - os: macos-12
             target: macos-universal-10.15
-          - os: macos-13
-            target: macos-10.15
-          - os: macos-13
-            target: macos-universal-10.15
+          # - os: macos-13
+          #   target: macos-10.15
+          # - os: macos-13
+          #   target: macos-universal-10.15
     runs-on: ${{ matrix.os }}
     steps:
       - uses: actions/checkout@v4
         with:
           submodules: recursive
       - name: Set up dependencies
         run: |
+          brew uninstall --ignore-dependencies --force azure-cli aws-sam-cli php
           ./src/PawPaw/.github/workflows/bootstrap-deps.sh ${{ matrix.target }}
           brew install p7zip wget
       - name: Set up cache
@@ -239,9 +241,10 @@ jobs:
         run: |
           make PAWPAW_TARGET=${{ matrix.target }}
       - name: Validate plugins
-        if: steps.cache.outputs.cache-hit == 'true'
+        if: false
+        #if: steps.cache.outputs.cache-hit == 'true'
         run: |
-          ./utils/plugin-builder/validate-plugins.sh ${{ matrix.target }}
+          # ./utils/plugin-builder/validate-plugins.sh ${{ matrix.target }}
           # FIXME dirty carla leaves temp folders around
           rm -rf *.tmp
       - name: Set version tag for release
@@ -254,6 +257,13 @@ jobs:
           echo "VERSION_TAG=$(echo ${{ github.event.pull_request.number || github.sha }} | cut -c1-8)" >> $GITHUB_ENV
       - name: Pack
         if: steps.cache.outputs.cache-hit == 'true'
+        env:
+          CODESIGN_APP_IDENTITY: ${{ secrets.CODESIGN_APP_IDENTITY }}
+          CODESIGN_PKG_IDENTITY: ${{ secrets.CODESIGN_PKG_IDENTITY }}
+          CODESIGN_APP_P12_CONTENTS: ${{ secrets.CODESIGN_APP_P12_CONTENTS }}
+          CODESIGN_PKG_P12_CONTENTS: ${{ secrets.CODESIGN_PKG_P12_CONTENTS }}
+          CODESIGN_APP_P12_PASSWORD: ${{ secrets.CODESIGN_APP_P12_PASSWORD }}
+          CODESIGN_PKG_P12_PASSWORD: ${{ secrets.CODESIGN_PKG_P12_PASSWORD }}
         run: |
           ./utils/macos/macos-pkg.sh ${{ matrix.target }}
           if [ "${{ env.VERSION_TAG }}" != "$(cat VERSION)" ]; then

diff --git a/src/mod-ui b/src/mod-ui
diff --git a/utils/macos/entitlements.plist b/utils/macos/entitlements.plist
@@ -0,0 +1,8 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+    <key>com.apple.security.cs.allow-jit</key>
+    <true/>
+</dict>
+</plist>
diff --git a/utils/macos/macos-dmg.sh b/utils/macos/macos-dmg.sh
@@ -0,0 +1,103 @@
+#!/bin/bash
+
+set -e
+
+if [ ! -d build ]; then
+  echo "Please run this script from the root folder"
+  exit
+fi
+
+if [ "$(uname -m)" = "x86_64" ] && [ x"${1}" != x"macos-universal-10.15" ]; then
+    PAWPAW_PREFIX="${HOME}/PawPawBuilds/targets/macos-10.15"
+else
+    PAWPAW_PREFIX="${HOME}/PawPawBuilds/targets/macos-universal-10.15"
+fi
+
+rm -rf build/dmg build/*.dmg
+rm -rf mod-ui/mod/__pycache__
+rm -rf mod-ui/mod/communication/__pycache__
+rm -rf mod-ui/modtools/__pycache__
+./utils/pack-html.sh
+
+# create dmg dir for placing patched app bundle inside
+mkdir build/dmg
+gcp -rL "build/mod-desktop.app" "build/dmg/MOD Desktop.app"
+
+# patch rpath for Qt libs and jack tools
+pushd "build/dmg/MOD Desktop.app/Contents"
+
+rm -rf Frameworks/*/*.prl
+rm -rf Frameworks/*/Headers
+rm -rf Frameworks/*/Versions
+rm -rf MacOS/data
+
+QTLIBS=("Core" "Gui" "OpenGL" "PrintSupport" "Svg" "Widgets")
+
+for f in $(ls Frameworks/*/Qt* PlugIns/*/libq*.dylib); do
+    for q in "${QTLIBS[@]}"; do
+        install_name_tool -change "@rpath/Qt${q}.framework/Versions/5/Qt${q}" "@executable_path/../Frameworks/Qt${q}.framework/Qt${q}" "${f}"
+    done
+done
+
+for f in $(ls MacOS/lib/libmod_utils.so MacOS/libjack*.dylib); do
+    install_name_tool -change "${PAWPAW_PREFIX}/lib/libjack.0.1.0.dylib" "@executable_path/libjack.0.dylib" "${f}"
+    install_name_tool -change "${PAWPAW_PREFIX}/lib/libjackserver.0.1.0.dylib" "@executable_path/libjackserver.0.dylib" "${f}"
+done
+
+for f in $(ls MacOS/jackd MacOS/jack/*.so); do
+    install_name_tool -change "${PAWPAW_PREFIX}/lib/libjack.0.1.0.dylib" "@executable_path/libjackserver.0.dylib" "${f}"
+    install_name_tool -change "${PAWPAW_PREFIX}/lib/libjackserver.0.1.0.dylib" "@executable_path/libjackserver.0.dylib" "${f}"
+done
+
+popd
+
+# sign app bundle
+if [ -n "${CODESIGN_APP_IDENTITY}" ]; then
+    security create-keychain -p dummypassword build.keychain
+    security unlock-keychain -p dummypassword build.keychain
+    security set-keychain-settings -lut 21600 build.keychain
+
+    echo "${CODESIGN_APP_P12_CONTENTS}" | base64 -d -o codesign.p12
+    security import codesign.p12 -f pkcs12 -P "${CODESIGN_APP_P12_PASSWORD}" -k build.keychain -T /usr/bin/codesign -T /usr/bin/security
+    rm codesign.p12
+
+    security set-key-partition-list -S apple-tool:,apple: -k dummypassword build.keychain
+    security list-keychains -d user -s build.keychain login.keychain
+
+    mv "build/dmg/MOD Desktop.app/Contents/PlugIns/LV2" "build/dmg/LV2"
+
+    codesign -s "${CODESIGN_APP_IDENTITY}" \
+        --deep \
+        --force \
+        --verbose \
+        --timestamp \
+        --option runtime \
+        --entitlements "utils/macos/entitlements.plist" \
+        "build/dmg/MOD Desktop.app"
+
+    for f in $(find -name "*.dylib" build/dmg/LV2); do
+        codesign -s "${CODESIGN_APP_IDENTITY}" \
+        --force \
+        --verbose \
+        --timestamp \
+        --option runtime \
+        --entitlements "utils/macos/entitlements.plist" \
+        "${f}"
+    done
+
+    mv "build/dmg/LV2" "build/dmg/MOD Desktop.app/Contents/PlugIns/LV2"
+fi
+
+# create dmg
+hdiutil create "mod-desktop-$(cat VERSION)-macOS.dmg" -srcfolder build/dmg -volname "MOD Desktop" -fs HFS+ -ov
+
+if [ -n "${CODESIGN_IDENTITY}" ]; then
+    codesign -s "${MACOS_APP_DEV_ID}" --force --verbose --option runtime "mod-desktop-$(cat VERSION)-macOS.dmg"
+    security delete-keychain build.keychain
+fi
+
+# cleanup
+rm -rf build/dmg
+
+# xcrun notarytool store-credentials build-notary --apple-id xyz --team-id xyz --password xyz
+# xcrun notarytool submit choptones-amps-macOS.pkg --keychain-profile "build-notary" --wait
diff --git a/utils/macos/macos-pkg.sh b/utils/macos/macos-pkg.sh
@@ -51,12 +51,42 @@ done
 
 popd
 
+# sign app bundle
+if [ -n "${CODESIGN_APP_IDENTITY}" ]; then
+    security create-keychain -p dummypassword build.keychain
+    security unlock-keychain -p dummypassword build.keychain
+    security set-keychain-settings -lut 21600 build.keychain
+
+    echo "${CODESIGN_APP_P12_CONTENTS}" | base64 -d -o codesign.p12
+    security import codesign.p12 -f pkcs12 -P "${CODESIGN_APP_P12_PASSWORD}" -k build.keychain -T /usr/bin/codesign -T /usr/bin/security
+    rm codesign.p12
+
+    echo "${CODESIGN_PKG_P12_CONTENTS}" | base64 -d -o codesign.p12
+    security import codesign.p12 -f pkcs12 -P "${CODESIGN_PKG_P12_PASSWORD}" -k build.keychain -T /usr/bin/pkgbuild -T /usr/bin/productbuild -T /usr/bin/security
+    rm codesign.p12
+
+    security set-key-partition-list -S apple-tool:,apple: -k dummypassword build.keychain
+    security list-keychains -d user -s build.keychain login.keychain
+
+    codesign -s "${CODESIGN_APP_IDENTITY}" \
+        --deep \
+        --force \
+        --verbose \
+        --timestamp \
+        --option runtime \
+        --entitlements "utils/macos/entitlements.plist" \
+        "build/pkg/MOD Desktop.app"
+
+    PKG_SIGN_ARGS=(--sign "${CODESIGN_PKG_IDENTITY}")
+fi
+
 # create base app pkg
 pkgbuild \
   --identifier "audio.mod.desktop-app" \
   --component-plist "utils/macos/build.plist" \
   --install-location "/Applications/" \
   --root "${PWD}/build/pkg/" \
+  "${PKG_SIGN_ARGS[@]}" \
   build/mod-desktop.pkg
 
 # create final pkg
@@ -68,7 +98,11 @@ productbuild \
   --identifier "audio.mod.desktop-app" \
   --package-path "${PWD}/build" \
   --version 0 \
+  "${PKG_SIGN_ARGS[@]}" \
   mod-desktop-$(cat VERSION)-macOS.pkg
 
 # cleanup
 rm -rf build/pkg
+[ -n "${CODESIGN_APP_IDENTITY}" ] && security delete-keychain build.keychain
+
+exit 0